Automatic determination of required resource allocation of virtual machines

ABSTRACT

Virtual machine resources may be monitored for optimal allocation. One example method may include monitoring a virtual machine operating in a network to determine whether at least one predefined service tier threshold has been exceeded for a predefined amount of time, initiating a query to determine current performance threshold data of the at least one predefined service tier threshold from a database, determining at least one component state of at least one component of the virtual machine based on the at least one service tier threshold assigned to the at least one component, and reallocating the resource provided by the virtual machine when the component state indicates a high warning state.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is related to co-pending applications: U.S. patent application Ser. No. 11/767,173, filed on Jun. 22, 2007, titled “Method and system for cloaked observation and remediation of software attacks,” now issued U.S. Pat. No. 8,191,141; U.S. patent application Ser. No. 11/867,456, filed on Oct. 4, 2007, titled “Method and system for collaboration involving enterprise nodes,” now issued U.S. Pat. No. 8,336,108; and U.S. patent application Ser. No. 12/626,872, filed on Nov. 27, 2009, titled “Network traffic analysis using a dynamically updating ontological network description,” now issued U.S. Pat. No. 8,429,748.

This application is further related to the Applicant's copending applications: U.S. patent application Ser. No. 12/905,565, filed on Oct. 15, 2010 titled “Identification of business process application service groups,” now issued U.S. Pat. No. 8,825,838.

U.S. patent application Ser. No. 12/905,645 filed on Oct. 15, 2010 titled “System and method for migration of network entities to a cloud infrastructure.”

U.S. patent application Ser. No. 12/905,688 filed on Oct. 15, 2010 titled “Monitoring system performance changes based on configuration modification,” now issued U.S. Pat. No. 8,938,489.

U.S. patent application Ser. No. 12/905,761 filed on Oct. 15, 2010 titled “Indicating an impact of a change in state of a node,”, now issued U.S. Pat. No. 8,656,009.

U.S. patent application Ser. No. 12/905,850 filed on Oct. 15, 2010 titled “System and method for enterprise nodes that are contained within a public cloud to communicate with private enterprise infrastructure dependencies.”

U.S. patent application Ser. No. 12/905,879 filed on Oct. 15, 2010 titled “System and method for determination of the root cause of an overall failure of a business application service,” now issued U.S. Pat. No. 8,156,378.

U.S. patent application Ser. No. 12/979,237 filed on Dec. 27, 2010 titled “Assigning virtual machines to business application service groups based on ranking of the virtual machines,” now issued U.S. Pat. No. 9,354,960

U.S. patent application Ser. No. 12/979,245 filed on Dec. 27, 2010 titled “Automatic baselining of business application service groups comprised of virtual machines”.

U.S. patent application Ser. No. 12/979,259 filed on Dec. 27, 2010 titled “AUTOMATIC SIMULATION OF VIRTUAL MACHINE PERFORMANCE”.

U.S. patent application Ser. No. 12/979,255 filed on Dec. 27, 2010 titled “PERFORMING PREDICTIVE MODELING OF VIRTUAL MACHINE RELATIONSHIPS”.

U.S. patent application Ser. No. 12/979,222 filed on Dec. 27, 2010 titled “PERFORMING DEPENDENCY ANALYSIS ON NODES OF A BUSINESS APPLICATION SERVICE GROUP”.

The entire contents of each of the above mentioned applications are specifically incorporated herein by reference in their entireties.

TECHNICAL FIELD

Embodiments of The invention relate to analyzing network traffic analysis and, in particular, to performing automatic determining of resource allocation among virtual machines operating in service groups within a communications network.

BACKGROUND

Traditionally enterprises are comprised of various nodes that contribute to an overall business process. An enterprise may be thought of as a geographically dispersed network under the jurisdiction of one organization. It often includes several different types of networks and computer systems from different vendors.

These network nodes that are part of the enterprise may be comprised of both physical and virtual machines. Enterprise networks that include a plurality of virtual machines may require a physical host, which is required to allocate resources among the virtual machines. Allocating resources to these virtual machines may pose a challenge, especially with regard to over-allocating and under-allocating resources. Examples of resources may include memory, disk usage, CPU usage, etc. Too few resources allocated and the virtual machine will not provide the resources necessary to complete a business process. Too many resources allocated and resources may be wasted causing inefficiencies to occur in the enterprise network. Resource allocation should be dynamic and based on the present operating conditions of the enterprise network and its corresponding virtual machine(s) and physical host(s).

BRIEF DESCRIPTION OF THE DRAWINGS

Features of the invention are more fully disclosed in the following detailed description of the invention, reference being had to the accompanying drawings described in detail below.

FIG. 1 illustrates an example embodiment of a system for creating and updating an ontological description of a network.

FIG. 2 illustrates a detail of ontological creation engine, according to an example embodiment.

FIG. 3 illustrates an example graphical user interface to view threshold levels of operating resources, according to example embodiments of the present invention.

FIG. 4 illustrates another graphical user interface used to modify operating thresholds of different allocated resources, according to example embodiments of the present invention.

FIG. 5 illustrates an example flow diagram, according to example embodiments of the present invention.

FIG. 6A illustrates another example flow diagram of, according to example embodiments of the present invention.

FIG. 6B illustrates yet another example flow diagram of, according to example embodiments of the present invention.

FIG. 7 is a block diagram of an exemplary computer system that may perform one or more of the operations described herein, according to example embodiments of the present invention.

DETAILED DESCRIPTION

One example embodiment of the present invention may include a method of monitoring performance of a virtual machine operating in a network. The method may include monitoring the virtual machine operating in the network to determine whether at least one predefined service tier threshold has been exceeded for a predefined amount of time. The method may also include initiating a query to determine current performance threshold data of the at least one predefined service tier threshold from a database, and determining at least one component state of at least one component of the virtual machine based on the at least one service tier threshold assigned to the at least one component. The method may also include reallocating at least one resource provided by the virtual machine when the at least one component state indicates a high warning state.

Another example embodiment of the present invention may include an apparatus for monitoring performance of a virtual machine operating in a network. The apparatus may include a processor configured to monitor the virtual machine operating in the network to determine whether at least one predefined service tier threshold has been exceeded for a predefined amount of time. The apparatus may also include a transmitter configured to transmit a query to a database to determine current performance threshold data of the at least one predefined service tier threshold. The processor is further configured to determine at least one component state of at least one component of the virtual machine based on the at least one service tier threshold assigned to the at least one component, and reallocate at least one resource provided by the virtual machine when the at least one component state indicates a high warning state.

It will be readily understood that the components of the present invention, as generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of a method, apparatus, and system, as represented in the attached figures, is not intended to limit the scope of the invention as claimed, but is merely representative of selected embodiments of the invention.

The features, structures, or characteristics of the invention described throughout this specification may be combined in any suitable manner in one or more embodiments. For example, the usage of the phrases “example embodiments”, “some embodiments”, or other similar language, throughout this specification refers to the fact that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the present invention. Thus, appearances of the phrases “example embodiments”, “in some embodiments”, “in other embodiments”, or other similar language, throughout this specification do not necessarily all refer to the same group of embodiments, and the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.

In addition, while the term “message” has been used in the description of embodiments of the present invention, the invention may be applied to many types of network data, such as packet, frame, datagram, etc. For purposes of this invention, the term “message” also includes packet, frame, datagram, and any equivalents thereof. Furthermore, while certain types of messages and signaling are depicted in exemplary embodiments of the invention, the invention is not limited to a certain type of message, and the invention is not limited to a certain type of signaling.

Specific example embodiments of the present invention will now be described with reference to the accompanying drawings. This invention may, however, be embodied in many different forms, and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.

It will be understood that when an element is referred to as being “connected” or “coupled” to another element, it can be directly connected or coupled to the other element, or intervening elements may be present. Furthermore, “connected” or “coupled” as used herein may include wirelessly connected or coupled. It will be understood that although the terms “first” and “second” are used herein to describe various elements, these elements should not be limited by these terms.

FIG. 1 illustrates an example logic diagram of a system 100 configured to deploy data collection agents onto network nodes, according to example embodiments of the present invention. Referring to FIG. 1 an application server 101 interfaces with a web browser 102 and a local agent data collection network element 500. Certain operations may be performed by the system 100, such as, monitoring network connections instantiated at each network node, acquiring resulting data, automatically creating an ontological description of the network from the acquired data, dynamically updating the ontological description, etc.

According to an example embodiment, elements of system 100 may utilize the Java® software platform and Enterprise Java Bean® (EJB) architecture to provide certain functionality. These well-known terms may be used in the description that follows. Other software platforms and architectures, providing similar functionality, may be used without departing from the scope of the present invention.

System 100 may consist of an application server 101, which interacts across a network with a number of data collection agents 500. Application server 101, may be an element of an administrative console (AC) that also provides a suite of network management tools. A system administrator may perform network traffic analysis and/or other network management tasks by accessing application server 101 through a web browser 102. Application server 101 may include an EJB module 612, an ontological description creation engine 613, and a web application 111. Web browser 102 may include a rendering engine 102B and a knowledge browser 102A.

In operation, data collection agent(s) 500 may be deployed onto network nodes including physical and/or virtual machines in an enterprise information technology (IT) infrastructure environment. After such deployment, application server 101 receives messages from data collection agents 500. These messages may include data representing, for example, state and relationship information about the network nodes, configuration information related to the IT infrastructure, performance/utilization data and network communication. Thresholds are assigned to a component and/or can also be assigned to an entire business application service group (BASG). A host may provide CPU usage as a resource allocated to a virtual machine, the CPU operational usage performance is an example metric. The virtual machine and host machine are both examples of components.

The received messages may be initially handled by EJB module 612. For example, message driven EJB 623 may initially inspect a received message. A received message relating to network traffic or node status may be forwarded by message driven EJB 623 to the business logic EJB 624. Business logic EJB 624 may call network traffic analysis engine 625 for messages relating to network traffic. Alternately, “infrastructure messages” (i.e., those messages relating to node status) may be forwarded directly to the state and profiling engine 626.

Messages forwarded to the state and profiling engine 626 may undergo sorting and processing. The state and profiling engine 626, for example, may identify the entities within the IT infrastructure as well as their dependency on one another, based on messages received from the platform. In addition, state and profiling engine 626 may perform further processing to determine the state of one or more entities. State may be based on a threshold that has been defined, for example, by the system administrator. The threshold may be based on a metric that either exceeds or underperforms in a specific area of interest of the system administrator. An example threshold may be set for a server operating in the enterprise network that is exceeding a specified CPU utilization percentage, a disk utilization percentage and/or a memory utilization percentage.

A data output from state and profiling engine 626 may be sent to ontological description creation engine 613. Initially, the data may be handled by a resource description framework (RDF) application programming interface (API) knowledge base 620, where the data is categorized and stored utilizing a predefined entity relationship determined by ontology web language (OWL) API or ontology model 621.

Messages handled by the network traffic analysis engine 625 may include source-to-destination data, qualified by a communicating application within the operating system of the originating node, as well as frequency of communication information. This received data is analyzed by processing the number and type of connections to determine if an ontological “communicates_with” relationship exists. A determination may be made by tracking the number of connections of a specific application over a period of time. The period of time may be preselected, for example, by the system administrator.

Data output from network traffic analysis engine 625 may be sent to ontological description creation engine 613. Initially, the data may be handled by the RDF API knowledge base 620 where the data is categorized and stored utilizing a predefined entity relationship, determined by OWL API ontology model 621. For example, OWL API ontology model 621 may define what entity classes exist, their possible relationship to each other, and their possible state.

FIG. 2 illustrates a detailed diagram of ontological description creation engine 613, according to example embodiments of the present invention. Referring to FIG. 2, as data is received by RDF API knowledge base 620, logic in the RDF API knowledge base 620 may map the incoming data to the appropriate ontological classes and relationships defined by OWL ontology API model 621. Once the correct classes and relationships are selected, the entity and relationship information may be entered into RDF API knowledge base 620. The knowledge base may also be forwarded to a SPARQL database or query engine 622 for later inference processing by inference engine 633. Inference engine 633 may determine inferred relationships based on the ontology model contained in OWL ontology API model 621.

The model and structure the system uses to create and update the knowledge base is contained within a web ontology language (OWL) file present on the application server 101. OWL is a family of knowledge representation languages for authoring ontologies which are a formal representation of the knowledge by a set of concepts within a domain and the relationships between those concepts. Ontologies are used to represent the properties of a domain, and may be used to describe the domain. The ontology provides the direct and indirect dependency information that the (SPARQL) query engine 622 requires in order to infer the impact a change in “state” will have on the rest of a service group or BASG.

In an enterprise network, a business application will typically include a primary application with one or more executables that execute on one or more nodes of the network. These nodes may have direct and indirect dependencies on other nodes of the network. The business application may be described by a network ontology. When an alert state occurs for the business application, the components of the business application ontology may be analyzed to determine what adjustments are required to achieve a steady state based on assigned thresholds. The root cause may be a direct or indirect root cause, which may then be reported to the system administrator.

According to an example embodiment, a visualization of a current network state and/or communication activity may be provided to an administrator. The system administrator may be provided with a visual rendering (e.g., on a computer monitor) of the knowledge base. The visualization may be filtered to any selected entity of interest. For example, referring again to FIG. 1, the system administrator or other user may use a web browser 102 to request rendering of data via web application 111 from controllers 627.

Controllers 627 may pass along any filtering information such as a specific Host ID. Next, business logic EJB 624 may be called by the controllers. Business logic EJB 624 may query RDF API knowledge base 620 for requested data. The requested data may be returned through controllers 627 to the web browser. The requested data may then be converted into a directed graph chart by a rendering engine.

Example embodiments of the present invention may provide the ability to automatically determine allocation adjustments that may be required for virtual machine performance, and monitoring the service tier thresholds assigned to a specified virtual machine. Thresholds are directly related to a node “state”. The state may be defined as an indicator to the system and the user of a business application service, such as, whether, the business application service meets a specified threshold requirement. The process to determine the state of an individual element may be based on a threshold that has been defined, for example, by the system administrator. The threshold may include a metric that either exceeds or underperforms in a specific area of interest of the system administrator. An example would be a server in a network that is exceeding a specified CPU utilization percentage.

Example embodiments of the present invention may provide automatically detecting when a virtual machine's baseline of performance requires an allocation change from the virtual machine's host. Determining the percentage of increase or decrease in CPU usage, memory usage, storage usage, and network usage may be required in order to maintain a baseline operating in a normal range.

The system 100 may monitor for a steady state of a virtual machine by tracking service tier thresholds identified as normal. The system will provide the virtual machine's host with the changes in performance allocations needed to operate within a normal range to continue or achieve a normal range. The adjustment is expressed in terms of a percentage increase or decrease from the present allocation of resources assigned to it by its physical host.

The following terminology is used only to distinguish one element from another element. Thus, for example, a first user terminal could be termed a second user terminal, and similarly, a second user terminal may be termed a first user terminal without departing from the teachings of the present invention. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items. The symbol “/” may also be used as a shorthand notation for “and/or”.

Networks including computer entities, physical and/or virtual machines operating on network nodes, etc., may be advantageously described via an ontology that describes the operational usage and current state of the entities rather than being based on a fixed IT infrastructure architecture. The ontological description may be automatically and dynamically updated based on data acquired from data collection agents deployed to the nodes of the network. The data collection agents observe communicative relationships based on connections between nodes in operational use, while annotating a class state. Using the ontological description, a network analyst or system operator may be provided with an improved ability to analyze network traffic.

Data relating to actual connections may be acquired automatically in near real-time. For example, an actual connection may be monitored in an interrupt-driven way while collecting information regarding an application that made the connection. Moreover a “volume for the connections” may be derived. A software-based data collection agent may be received by a computing device at a node within a communications network. The agent may be distributed to one or more nodes from a central node via the network.

Once the software-based data collection agent is received, it may be inserted in an operating system of the receiving node. Advantageously, the agent may be inserted in the kernel of the operating system or in a user space (i.e., an area in virtual memory of a computer that contains user applications that execute at the application layer). The installation may be performed such that it is transparent or undetectable by a user of the node. The installed data collection agent may monitor data packet traffic between an adaptive driver layer and a protocol layer and report results of the monitoring to the central node.

In one example, the data collection agent 500 may have an interface to an operating system's network stack and may periodically determine what applications are using the network stack. As a result, the data collection agent may track information regarding a network connection, the connection duration, and any applications and systems involved in the connection. Moreover, the data collection agent 500 may normalize the foregoing information and report it to an administration console so that different operating systems may be correlated by the administration console.

As a further example, the data collection agent 500 may include a network filter inserted into the network stack to determine exactly when a connection is made between entities. The filter component of the data collection agent may be inserted at one or more layers of the OSI model. For example, a data collection agent 500 may have a filter interface at the transport layer and/or a filter interface at the network layer. The data collection agent 500 may track information regarding a network connection, the connection duration, and any applications and systems involved in the connection. Moreover, the data collection agent may normalize the foregoing information and report it to the administration console so that different operating systems may be correlated by the administration console.

As yet a further example, the data collection agent 500 described in the preceding paragraphs may also include a packet filter inserted into the network stack to track connection data. For example, a data collection agent 500 may have a filter interface at the data link layer. Then, the data collection agent 500 may correlate and normalize (if required) data from the network filter and the packet filter to track information regarding the network connection, the connection duration, any applications and systems involved in the connection, connection status and connection resource usage information. Moreover, the data collection agent 500 may normalize the foregoing information and report it to the administration console so that different operating systems may be correlated by the administration console.

Referring again to FIG. 1, an illustrative system 100 for deploying data collection agents onto network nodes, monitoring network connections instantiated at each network node, acquiring resulting data, automatically creating an ontological description of the network from the acquired data, and dynamically updating the ontological description will be described. The system 100 may further be used for monitoring configuration drifts within an enterprise network as will be described in more detail below. In an example embodiment, elements of system 100 utilize the Java software platform and Enterprise Java Bean (EJB) architecture to provide certain functionality, and these well-known terms may be used in the description that follows.

According to example embodiments of the present invention, the process to automatically determine a performance allocation may begin by monitoring those virtual machines that have sustained a service tier threshold in either a critical low and/or a critical high level for more than 24 hours. Such an observation may be observed by the virtual machine agent. The SQARQL query engine 622 simultaneously initiates a query for current performance threshold data stored in a database.

The components' states may be determined since they have thresholds that include at least one of achieved, overachieved, and/or underachieved. Nodes, executables and the business application service groups (BASGs) may also incorporate status and alerts from infrastructure providers. The executables may have a state that relates to the “communicates_with” relationship. For example, if an executable such as sqlservr.exe no longer communicates_with node X, it may be designated critical high and indicated on a user interface as red or as a warning. This example may be true of a node that represents a “communicates_with” relationship as well as a primary application represented as a node.

The state and profiling engine 626 may set the state of the business application service group (BASG) using the agent data and system information. When any component of the BASG has achieved a “High Warning” state, the user may view the component as red (indicating a high warning) as well as the BASG itself being displayed in red on a graphical user interface of FIG. 3.

The process to determine the state of an individual element may be based on a threshold(s) that has been defined, for example, by the system administrator. The threshold may include a metric that either exceeds or underperforms in a specific area of interest to the system administrator. An example would be a server operating in a network that is exceeding a specified CPU utilization percentage.

FIG. 3 illustrates an example graphical user interface (GUI) used to demonstrate application and device threshold compliance, according to example embodiments of the present invention. Referring to FIG. 3, a large array of performance metrics are illustrated to represent the current operating states of various applications, processes and devices. Colors may be used to illustrate the corresponding operating performance levels. For example, green (indicator 304) may indicate good performance, yellow (indicator 306) may indicate higher cautionary operating conditions and red (indicator 302) may indicate that the predefined threshold for a particular process has been exceeded and must be addressed by reallocation of resources. Other visual indicators may be provided to illustrate different operating performance levels. For example, various shapes (indicators 308, 310 and 312 and) can be used as visual indicators of operating performance levels. Other exemplary indicator may include sizes, shades, etc.

FIG. 4 illustrates another example GUI according to example embodiments of the present invention. Referring to FIG. 4, the service tier thresholds may be edited manually by a system administrator. In this example, two different network resources are illustrated to include CPU utilization and disk utilization. These resources may be provided by a virtual machine operating on the network. Other resources (not shown) but described herein may also be modified by this GUI.

According to one example, a CPU threshold may be established via menu option 401. Service tier thresholds may include various different levels, such as, a low error threshold, a low warning threshold, a high warning threshold and a high error threshold. Similarly, a menu option 402 may be used to modify thresholds for disk space utilized. These various threshold levels may be established automatically and/or manually by a system administrator. The user may select a threshold window that the system may use to monitor operational usage.

According to one example, if the user sets a red zone “red” to be between 90-100% CPU usage, then the state of the node in question will be set to a red if the operational usage condition of 90-100% occurs 3 times within 5 minutes (or a similar set of occurrences). The threshold is set by the user per the high error threshold of 90% usage. Similarly, a high warning threshold of 80% may be set to create an orange zone warning at 80% or more CPU usage, which may be used to merely notify the system administrator that a first threshold has been exceeded. On the flip side, the low CPU usage may be monitored by a low performance threshold including a low warning threshold and low error threshold set at 20% and 10%, respectively. Similar operational parameters may be established to monitor disk usage, and, other metrics not shown.

The states of the individual business application service components may be aggregated to calculate an overall state for the BASG. Any support nodes within the BASG ontology that have achieved a high warning alert may be labeled under the BASG as having a high warning. If any one node with a “communicates_with” relationship achieves a high warning status, it is identified as having a high warning for its associated BASG. High errors may be identified in a similar manner. For example, in order for a node to achieve one of these identified states, the states must have been observed and processed by the state and profiling engine three times within one hour. As a result, spurious errors and random faults will not lead to warnings being generated for the overall business application process.

One example method for processing state information of elements of a business process ontology and more specifically for a BASG that is in an error state will now be described with reference to FIG. 5. The method of FIG. 5 may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (such as instructions run on a processing device), firmware, or a combination thereof. In one embodiment, the method is performed by a server (e.g., application server 101 of FIG. 1).

At operation 501, a query is sent to the RDF knowledgebase 620 that identifies the BASG that is currently in an error state. The RDF knowledge base 620 returns the list of components of the BASG (e.g., hardware nodes, virtual nodes, executables, processes, primary applications, etc) and their present state.

It should be noted that the primary application of the BASG is considered by the RDF knowledge base to be a “node.” Any of these components of the BASG may have independent thresholds assigned by the system administrator. Examples of components may include virtual machines, host machines, storage devices, network devices, etc. Examples of resources that are allocated to the components may include memory, CPU, storage disk space, network adapters, etc. Examples of metrics may include a CPU utilization of 1024 Ghz, a memory utilization of 8 gigabytes, a network adapter operating at 100 Mbps, etc.

At operation 502, a filter is applied to determine those components that may have contributed to the “high warning” threshold that was exceeded and, which, in turn, triggered an alarm. In one example embodiment, the filter omits any individual component that has not exceeded a “high warning” threshold individually from the process. This may reduce the chances of false alarms occurring due to random instances of a predefined threshold being exceeded.

At operation 503, the process continues by inspecting each of the filtered components to determine a root cause. The inspection process looks-up performance data previously reported by the agents deployed to the nodes. The inspection process may yield all of the component's relevant data for determining a root cause. In one example, the data used for this determination process is service tier data, such as, CPU, memory, disk, and network operation threshold roll-up data (last 30 days, etc.), although, other relevant data may also be used.

The root cause process may also use virtualization infrastructure alarms and network status updates. These are available to the system 100 for host, virtual machines, disks, and network devices, and may be sent in messages from a proxy agent. The proxy agent may contain an instruction for translating virtual infrastructure messages to a format that the state and profile engine 626 can process. If, for example, the proxy agent receives a message from the virtual infrastructure indicating a disk has achieved full capacity and has an error level of 3, the proxy agent will modify the received message with a translation on the “level of 3” to “High Error.” This is then sent to the message driven bean factory 623, where an EJB is created with the contents received from the proxy agent. The business logic 624 then routes the new state EJB to the state and profiling engine data 626 for the executables. This is provided to the user as evidence for the root cause conclusion.

The SPARQL query engine 622 determines the state of the primary applications and the contributing executables that make up the primary application by requesting the ontology for the business application service. The ontology is analyzed for breaks in communication with nodes, as described in the Applicant's co-pending applications referenced above.

The SPARQL query engine 622 will send a request to the agent to send back the performance statistics of the executables that make up the primary application of the business application service. This will provide the user with the real-time performance statistics of the executables to provide support for a conclusion that a root cause of failure is due to the failure of the primary application support nodes, at operation 504. The result of conclusion may automatically trigger a recommendation to perform an increase and/or decrease in the present resource allocation of resources provided by a virtual machine(s), at operation 505. For example, CPU resources and disk space may be reallocated from among the network resources by the system administrator as a result or receiving the recommendation. Or, alternatively, certain reallocation measures may be performed automatically.

System 100 may comprise an application server 101, which interacts across a network with a number of data collection agents 500 deployed in various nodes of the network. Advantageously, application server 101, may be an element of an administrative console (AC) that also provides a suite of network management tools. A system administrator may perform network traffic analysis and/or other network management tasks by accessing application server 101 by way of web browser 102. Application server 101 may comprise an EJB module 612, an ontological description creation engine 613, and a web application 111.

Data collection agents 500, as described through the specification, may be deployed onto network nodes including physical and/or virtual machines in an enterprise IT infrastructure environment. After such deployment, application server 101 receives messages from data collection agents 500. These messages may include data representing, for example, state and relationship information about the network nodes, configuration information related to the IT infrastructure, performance/utilization data and network communication.

The received messages may be initially handled by EJB module 612. For example, message driven EJB module 623 may initially inspect a received message. A received message relating to network traffic or node status may be forwarded by message driven EJB 623 to the business logic EJB 624. Business logic EJB 624 may call network traffic analysis engine 625 for messages relating to network traffic. Alternatively, “infrastructure messages” (i.e., those relating to node status) may be forwarded directly to the state and profiling engine 626.

Messages forwarded to the state and profiling engine 626 may then undergo sorting and processing. The state and profiling engine 626, for example, may identify the entities within the IT infrastructure as well as their dependency on one another, based on messages received from the platform. In addition, state and profiling engine 626 may perform further processing to determine the state of one or more entities. The states may be based on a threshold that has been defined, for example, by the system administrator. The threshold may be based on a metric that either exceeds or underperforms in a specific area of interest to the system administrator. An example would be a server operating in a network that is exceeding a specified CPU utilization percentage. The threshold may be set to 80% CPU utilization and if the server is operating at 81%, the threshold is being exceeded.

Example embodiments for determining a required resource allocation of a virtual machine based on thresholds are discussed below. The web application server business logic creates a message request to provide the necessary changes in virtual machine performance allocation variables to create a condition of no critical low and/or no critical high conditions for the next 24 hours. If the recommended change is not successful, the cycle repeats by incrementing the 24 hour period with no critical low and/or no critical high warning by the service tier threshold system. Another 24 hour monitoring period may then begin.

A recommendation of a change in a variable by a factor of 10% (increase or reduction) may be a general modification used to satisfy a threshold condition that has been exceeded/underperformed. The 10% factor modification may be used until the virtual machine exceeds a performance request, which results in the web browser 102 initiating a message to the web application 111 and controllers 627 of the virtual machine. This modification, in turn, creates a message driven entity bean that contains the request, which is transferred to a rules engine. The rules engine sends a request to gather a historical period of information to the web browser 102. Such historical information may be for a period of 1 to 90 days. The rules engine (not shown) may be part of creation engine 613 and/or EJBs 612.

The rules engine message is sent to a database (not shown) to gather the data tables requested. The database sends the data back to the rules engine. The rules engine factors the data resulting in a recommendation to increase or decrease the allocation for each of the performance threshold criteria, which may include, for example, CPU utilization, memory utilization, data storage utilization, and network resource utilization.

The resource modification recommendation is created by the rules engine 613. The rules engine 613 may perform averaging the actual threshold observed by the service tier threshold integer (0-100 scale). The average is only taken from metrics observed while the virtual machine is observed in its normal operating range. If no normal range is observed, than the rules engine will increment the recommended change by increasing or decreasing the allocated resource(s) by 20% until a normal range is observed over a period of 24 hours. According to one example, the recommended increase or decrease is only 10% for a period following 24 hours if the data gathered does contain “normal” range input data.

A proxy agent (not shown) may be part of the local agent that 500 that is used to collect data. In operation, the proxy agent collects data from the virtual infrastructure management provider. The user will utilize the default thresholds or adjust them as deemed necessary. Thresholds are used by the state and profile engine for tracking the “state” of the nodes that make up the components for a business application process. The inventory in the database may be updated by the proxy agent with a list of virtual machines, storage, hosts, and network devices.

The agent may be deployed via the physical hosts connected directly to the virtual machine's O/S. The state and profile engine 626 assigns the “state” of the various network components and receives additional input from the proxy agent to factor into the “state” (e.g., alarms, network, and “communicates_with” relationship status) and updates the RDF knowledge base ontologies to reflect the assignments. The agent tracks executable applications to see what other nodes are communicating with the virtual machines (VMs) in the enterprise.

The traffic analysis engine determines which executable applications and services are communicating with other nodes that constitute a “communicates_with relationship.” A determination may be made as to whether any pairs of nodes have a “communicates_with relationship.” Upon the assignment of a “communicates_with” relationship to the ontology of a node and its direct and indirect relationships, the state and profiling engine 626 assigns the group of nodes as a “service group.”

The RDF knowledge base 620 contains an ontology for each individual node. The model and structure the system uses to create and update the knowledge base is contained within the ontology web language (OWL) file present on the application server 101. The state and profiling engine 626 tracks the “state” continually of the components and receives additional input from the proxy agent to factor into the “state” (e.g., alarms, network, and “communicates_with” relationship status).

The user may identify a “service group” of network nodes as a business application service group (BASG) by selecting a name for the group of nodes and the executables that are the basis for the “communicates_with” relationship. The user may also add nodes that the system did not auto-detect as a component of the service group. Those added nodes will be recorded and stored in the ontology model 621.

A determination may then be made as to whether the user has assigned additional nodes and/or names to the service group. The ontology itself provides the direct and indirect dependency information of the nodes that the SPARQL query engine 622 requires to infer the impact a change in “state” will have on the rest of the service group. For instance, if a storage device's (component) state is changed to “RED” because it is almost full (e.g., only two gigabytes left of a 1500 gigabyte memory) then this may cause the physical host to start the paging memory, which will effect the performance of any and all virtual machines running on that physical host.

The SPARQL query engine 622 parses the service group ontology for the components that have a “communicates_with” relationship, which forms the basis for a primary application. The state and profiling engine 626 tracks the “state” of the BASG by requesting the current “state” from the RDF knowledge base 620 and updating the ontology when any new messages are received from the business logic EJB factory 624. The ontology itself provides the direct and indirect dependency information the SPARQL query engine 622 requires to infer the impact a change in “state” will have on the rest of the BASG. SPARQL query engine 622 parses the BASG ontology for the components that have a “communicates_with” relationship, which forms the basis for a primary application.

According to one example, SPARQL query engine 622 provides a list of candidate BASG members for base-lining and adjusting as needed to achieve “normal” acceptable performance levels. By parsing the BASG ontology for primary applications that have “communicates_with” relationships with “virtual machines” that have operated in a “normal” level of threshold for 3 consecutive business cycles, a list of qualifying components may be produced.

Example embodiments for determining a required resource allocation of a virtual machine based on thresholds are depicted in the flow diagrams of FIGS. 6A and 6B. The method of FIGS. 6A and 6B may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (such as instructions run on a processing device), firmware, or a combination thereof. In one embodiment, the method is performed by a server (e.g., application server 101 of FIG. 1).

The SPARQL query engine 622 determines the performance allocation by monitoring those virtual machines that have sustained, or, operated within a service tier threshold in either a critical low and/or critical high state for more than 24 hours, or an appreciable amount of time (see operation 601 of FIG. 6A). The service tiers are assigned to a given user configuration and/or a default threshold configuration.

The SQARQL query engine 622 simultaneously initiates a query for current performance threshold data in a database (see operation 602). The components states are determined relative to predefined thresholds to determine whether an achieve, over-achieve, or under-achieve status is present (see operation 603). Nodes, executables and the business application service groups BASGs may also incorporate status and alerts from infrastructure providers. The executables may have a state that relates to the “communicates_with” relationship. Status and alerts are provided by the virtual infrastructure vendors and are received via the proxy module in the local agent 500. Example statuses and alerts may include network failure, disk full, and any messages or changes in status tracked by an external hypervisor, such as, an ESX server or a MS hyper-V.

The state and profiling engine 626 sets the state of the business application service group using the agent data and system information (see operation 604). In one embodiment, when any component of the BASG has achieved a “high warning” state, the user sees the component as red (indicating high warning) as well as the BASG as red in a graphical user interface. The process to determine the state of an individual element may be based on a threshold that has been defined. The threshold may include a metric that either exceeds or underperforms in a specific area of interest to the system administrator.

A recommendation of a resource allocation adjustment of a variable by a factor of 10% may be performed by transmitting an adjustment variable (see operation 605 of FIG. 6B). The rules engine sends a request to gather historical information for a predefined period of time, selected at the web browser 102, such as, for a period of 1 to 90 days. The rules engine message is sent to the database to gather the data tables requested. The database sends the data back to the rules engine, which uses the data to create a recommendation to increase or decrease the allocation for each of the performance threshold criteria (CPU usage, memory usage, storage usage, and network parameters) (see operation 606).

The recommendation is created by the rules engine 613 averaging the actual threshold observed by the service tier threshold integer (0-100 scale). For example, if the average CPU usage is 70% in one 24 hour period and 100% for a second 24 hour period, an average actual threshold may be 85%. The average is only taken from metrics observed while the virtual machine is observed in the normal range. If no normal range is observed, then the rules engine will increment the recommended change to increase or decrease by 20% until a normal range is observed over the following 24 hours. The recommended increase or decrease change is only 10% for the following 24 hours if the data gathered contains “normal” range input data.

The SPARQL query engine sends a request to the middle ware that then initiates a message to the web server to send a web service data interface message to initiate the change in resource allocation (see operation 607). A determination is then made as to whether the change in the resource allocation was successful (see operation 608). If not, the cycle repeats by incrementing the 24 hour period with no critical low and/or no critical high warning by the service tier threshold system (see operation 609). If the change was successful, the process ends.

FIG. 7 illustrates a diagrammatic representation of a machine in the exemplary form of a computer system 1000 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed. In alternative embodiments, the machine may be connected (e.g., networked) to other machines in a Local Area Network (LAN), an intranet, an extranet, or the Internet. The machine may operate in the capacity of a server or a client machine in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines (e.g., computers) that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.

The exemplary computer system 1000 includes a processing device 1002, a main memory 1004 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or Rambus DRAM (RDRAM), etc.), a static memory 1006 (e.g., flash memory, static random access memory (SRAM), etc.), and a secondary memory 1016 (e.g., a data storage device), which communicate with each other via a bus 1008.

Processing device 1002 represents one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. More particularly, the processing device 1002 may be a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 1002 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. Processing device 1002 is configured to execute instructions 1026 for performing the operations and steps discussed herein.

The computer system 1000 may further include a network interface device 1022. The computer system 1000 also may include a video display unit 1010 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 1012 (e.g., a keyboard), a cursor control device 1014 (e.g., a mouse), and a signal generation device 1020 (e.g., a speaker).

The secondary memory 1016 may include a machine-readable storage medium (or more specifically a computer-readable storage medium) 1024 on which is stored one or more sets of instructions 1026 embodying any one or more of the methodologies or functions described herein. The instructions 1026 may also reside, completely or at least partially, within the main memory 1004 and/or within the processing device 1002 during execution thereof by the computer system 1000, the main memory 1004 and the processing device 1002 also constituting machine-readable storage media.

The machine-readable storage medium 1024 may also be used to store software performing the operations discussed herein, and/or a software library containing methods that call this software. While the machine-readable storage medium 1024 is shown in an exemplary embodiment to be a single medium, the term “machine-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term “machine-readable storage medium” shall also be taken to include any medium that is capable of storing or encoding a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present invention. The term “machine-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic media.

Some portions of the detailed description above are presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussion, it is appreciated that throughout the description, discussions utilizing terms such as “receiving”, “determining”, “encrypting”, “decrypting”, “sending” or the like, refer to the actions and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (e.g., electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage devices.

Embodiments of the invention also relate to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions.

The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the required method steps. The required structure for a variety of these systems will appear from the description below. In addition, the present invention is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the invention as described herein.

The operations of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a computer program executed by a processor, or in a combination of the two. A computer program may be embodied on a computer readable medium, such as a storage medium. For example, a computer program may reside in random access memory (“RAM”), flash memory, read-only memory (“ROM”), erasable programmable read-only memory (“EPROM”), electrically erasable programmable read-only memory (“EEPROM”), registers, hard disk, a removable disk, a compact disk read-only memory (“CD-ROM”), or any other form of storage medium known in the art.

An exemplary storage medium may be coupled to the processor such that the processor may read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an application specific integrated circuit (“ASIC”). In the alternative, the processor and the storage medium may reside as discrete components.

It is to be understood that the above description is intended to be illustrative, and not restrictive. Many other embodiments will be apparent to those of skill in the art upon reading and understanding the above description. Although the present invention has been described with reference to specific exemplary embodiments, it will be recognized that the invention is not limited to the embodiments described, but can be practiced with modification and alteration within the spirit and scope of the appended claims. Accordingly, the specification and drawings are to be regarded in an illustrative sense rather than a restrictive sense. The scope of the invention should, therefore, be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.

While preferred embodiments of the present invention have been described, it is to be understood that the embodiments described are illustrative only and the scope of the invention is to be defined solely by the appended claims when considered with a full range of equivalents and modifications (e.g., protocols, hardware devices, software platforms etc.) thereto. 

What is claimed is:
 1. A method comprising: monitoring, by a processing device, a virtual machine operating in a network to determine whether at least one predefined service tier threshold has been exceeded for a predefined amount of time; initiating, by the processing device, a query to determine current performance threshold data of the at least one predefined service tier threshold from a database, the current performance threshold data indicating a number of times the at least one predefined service tier threshold has been exceeded by at least one component of the virtual machine during the predefined amount of time; determining, by the processing device, at least one component state of the at least one component of the virtual machine based on the at least one service tier threshold, wherein determining the at least one component state comprises setting the at least one component state to a state associated with the at least one service tier threshold if the number of times the at least one predefined service tier threshold has been exceeded reaches an occurrence number threshold associated with the at least one predefined service tier threshold within the predefined amount of time; responsive to determining the at least one component state, analyzing, by the processing device, past performance data of the at least one component from the database; and reallocating, by the processing device, at least one resource provided by the virtual machine to another virtual machine in response to the at least one component state indicating a high warning state, in view of the analyzed past performance data.
 2. The method of claim 1, further comprising: transmitting an indication to a system administrator indicating the high warning state.
 3. The method of claim 1, wherein the at least one component comprises at least one of an application, process or device.
 4. The method of claim 1, wherein the high warning state is based on the at least one service tier threshold being exceeded or underperformed by a predefined amount over the predefined amount of time.
 5. The method of claim 1, wherein the predefined amount of time is 24 hours.
 6. The method of claim 1, wherein the predefined service tier threshold indicates a critical low operating condition.
 7. The method of claim 1, wherein the predefined service tier threshold indicates a critical high operating condition.
 8. The method of claim 1, wherein the predefined service tier threshold is based on at least one of CPU utilization, occupied disk space, occupied memory space or network resource utilization.
 9. An apparatus comprising: a memory to store instructions; and a processor, executing the instructions and coupled to the memory, to monitor a virtual machine operating in a network to determine whether at least one predefined service tier threshold has been exceeded for a predefined amount of time; initiate a query to a database to determine current performance threshold data of the at least one predefined service tier threshold, the current performance threshold data indicating a number of times the at least one predefined service tier threshold has been exceeded by at least one component of the virtual machine during the predefined amount of time; determine at least one component state of the at least one component of the virtual machine based on the at least one service tier threshold, wherein determining the at least one component state comprises setting the at least one component state to a state associated with the at least one service tier threshold if the number of times the at least one predefined service tier threshold has been exceeded reaches an occurrence number threshold associated with the at least one predefined service tier threshold within the predefined amount of time; responsive to determining the at last one component state, analyze past performance data of the at least one component from the database; and reallocate at least one resource provided by the virtual machine to another virtual machine in response to the at least one component state indicating a high warning state, in view of the analyzed past performance data.
 10. The apparatus of claim 9, wherein the processor is further to provide an indication to a system administrator indicating the high warning state.
 11. The apparatus of claim 9, wherein the at least one component comprises at least one of an application, process or device.
 12. The apparatus of claim 9, wherein the high warning state is based on the at least one service tier threshold being exceeded or underperformed by a predefined amount over the predefined amount of time.
 13. The apparatus of claim 9, wherein the predefined amount of time is 24 hours.
 14. The apparatus of claim 9, wherein the predefined service tier threshold indicates a critical low operating condition.
 15. The apparatus of claim 9, wherein the predefined service tier threshold indicates a critical high operating condition.
 16. The apparatus of claim 9, wherein the predefined service tier threshold is based on at least one of CPU utilization, occupied disk space, occupied memory space or network resource utilization.
 17. A non-transitory computer readable medium comprising instructions that when executed cause a processor to perform operations comprising: monitoring the virtual machine operating in a network to determine whether at least one predefined service tier threshold has been exceeded for a predefined amount of time; initiating a query to determine current performance threshold data of the at least one predefined service tier threshold from a database, the current performance threshold data indicating a number of times the at least one predefined service tier threshold has been exceeded by at least one component of the virtual machine during the predefined amount of time; determining at least one component state of the at least one component of the virtual machine based on the at least one service tier threshold, wherein determining the at least one component state comprises setting the at least one component state to a state associated with the at least one service tier threshold if the number of times the at least one predefined service tier threshold has been exceeded reaches an occurrence number threshold associated with the at least one predefined service tier threshold within the predefined amount of time; responsive to determining the at least one component state, analyzing past performance data of the at least one component from the database; and reallocating at least one resource provided by the virtual machine to another virtual machine in response to the at least one component state indicating a high warning state, in view of the analyzed past performance data. 